From 25 May 2018, the General Data Protection Regulation comes into effect. Yes, it’s an EU-led regulation, but even with the UK leaving, the GDPR will still have a substantial impact on the way British organisations manage personal data.
The GDPR represents the biggest shakeup to data protection in over 20 years. But looking back at how radically the internet has transformed our lives in that time, it’s no surprise that data privacy regulations are due for an overhaul. But how exactly will the GDPR affect your business, and how can you ensure your data protection makes the grade?
Why Brexit (probably) isn’t an issue
Brexit is happening, but it’s unlikely to make a difference to the application of the GDPR in the UK. The UK will still be an EU member when the GDPR comes in, and it will continue to apply in UK law unless the government takes specific action to repeal it.
But the GDPR is very likely to stay on the books. The UK’s Information Commissioner’s Office (ICO) has consistently promoted it as a positive development, and repeated statements from UK officials support it as a welcome enhancement of British data protection legislation.
Even if Brexit means a complete clean break with existing EU data protection rules, any organisation collecting data from individuals within the EU will have to abide by the GDPR. So, for the many UK firms that do business across the EU, the GDPR is a vital concern irrespective of Brexit.
What does the GDPR actually mean?
The GDPR is intended to offer more protection to consumers when it comes to their personal data. It does this by building on existing data protection concepts and introducing new ones to create a more comprehensive set of rules with regard to the collection, processing and storage of personal data.
The definition of personal data will also be updated to include a broader range of information, from genetic and biological details to a person’s economic, social and cultural background.
Data controllers and data processors
The GDPR makes two important definitions regarding organisations that collect, store and manage personal data: data controllers and data processors. A data controller is a party that determines the way personal data is processed, while a data processor does the actual processing.
For example, a company that wants to collect data (the data controller) could outsource the processing of that data to an IT provider (the data processor). Alternatively, an organisation could be both a controller and a processor, but each role has different obligations under the GDPR.
Data protection by design? The right to be forgotten? Data portability?
‘Data protection by design’ means building in data protection at every level of a product or service. The amount of data captured and the length of time that data is stored should always be kept to a bare minimum. For example, do you really need to collect someone’s full name and address when just their company details will do?
The ‘right to be forgotten’ has been extended, allowing an individual to ask an organisation to completely delete all the data they have on that person. The data controller is responsible for ensuring all data is deleted, even if this requires liaising with third parties. This could involve requesting the removal of personal data from Google search results, for example.
The concept of ‘data portability’ is intended to simplify data transfer processes, for example when an individual requests their data from a company, or when they want to swap energy providers. A key element of data portability is that individuals should have access to their data in a useable form, such as a specified format.
Tougher penalties for shoddy data protection
Nobody likes fines, and under the GDPR they’ll be even higher. Up from the ICO’s current theoretical maximum fine of £500,000, penalties will reach an upper limit of €20 million or 4% of annual global turnover, whichever is higher.
On top of fines, the increased pressure on businesses to maintain data protection standards means that the PR fallout and reputational damage of a data breach will be significantly magnified.
Stricter deadlines will also apply when reporting data breaches. Outside of special circumstances, organisations must notify their national data protection authority (ICO in the UK) of any breaches within 72 hours.
GDPR compliance: what to do now
While some organisations won’t be affected by the GDPR at all, if you collect, store or process any form of personal data, it’s safe to assume that the GDPR matters. You need to look at your specific obligations in terms of how much data and what kind of data you collect, what you do with this data, whether you’re a data controller or a data processor, and what data protection policies you already have in place.
In the best-case scenario, your existing policies will already be up to GDPR standards. Even when you do need to make changes, if you comply with existing rules, the implementation of new processes is likely to be fairly straightforward.
Organisations should take steps to review existing data protection measures and put new processes in place wherever necessary to comply with the GDPR. Part of this may involve staff training to raise awareness of data protection responsibilities throughout the organisation.
Asking the right questions
How will you react to requests from individuals for their data to be deleted or provided in a particular format? What will your procedures be in the event of a data breach? Any organisation that processes personal data also needs to appoint a data protection officer.
If you’re developing a new product or service that involves personal data, you’ll need to consider data protection by design from the outset. Privacy notices, such as the information available to users on a company website, should also be reviewed to ensure they meet new GDPR standards.
Finally, an important point about consent: even if consent has already been granted from an individual for their data to be processed, this may no longer be enough after 25 May 2018. The GDPR raises the standard of what constitutes consent, so if consent was obtained pre-GDPR, do you need to ask for it again?
The penalties for a data breach under the GDPR are a significant increase from those faced by UK businesses today. Increased fines make the threat of insolvency as a result of a GDPR penalty very real indeed. But by being aware of your responsibilities, implementing stringent security measures, and being crystal clear on the roles of data controllers and data processors in your organisation, you will be in a strong position to calmly navigate the GDPR waters without sinking.
Neal Thoms, Content Editor at Fasthosts
Image Credit: Wright Studio / Shutterstock